EC-Council CEH

Certified Ethical Hacker Domain 1: Background

July 8, 2019 by Howard Poston

About the Domain

The first domain of the Certified Ethical Hacker exam is designed to test a candidate’s knowledge of everything that you need to know to practice ethical hacking which isn’t specific to the information security domain. This includes the fundamentals of networking, how various Internet-enabled protocols and technologies work and some of the most common attack vectors and security solutions.

Due to the amount of information covered by this domain, it’s one of the largest of the seven domains on the exam (edged out by tools and security). Twenty-seven of the exam’s 125 questions are devoted to this topic.

What’s Covered

This domain of the exam is intended to test an applicant’s understanding of the fundamental knowledge necessary to practice ethical hacking. The domain is broken into three subdomains: network and communication technologies, information security threats and attack vectors and information security technologies.

Network and Communication Technologies

The first subdomain covers the basics of networking and communication technologies. The CEH exam is designed to have ten questions on this subject, or about 8 percent of the total exam.

By networking technologies, the EC-Council means networking hardware, infrastructure and so on. On the hardware side, understanding the purpose and function of a firewall is a must, as well as the differences between a hub, switch and gateway. A candidate should know what a router is, what it does and how it works.

On the software side, a CEH candidate should have taken a networking course or had equivalent experience. It’s useful to know how the TCP and ARP protocol work, the basics of the OSI networking model, how IP addresses and subnetting work and the port numbers of important, common services (such as HTTP, DNS and SNMP).

The term “communication technologies” is used by the EC-Council as a catch-all for any way that people can communicate via the Internet. In their exam blueprints, the EC-Council specifically calls out the Web 2.0 and Skype, but a candidate should understand other, similar technology as well. For this section, it’s also useful to understand how each of the common networking protocols (such as DNS and SMTP) work and be able to understand the function and correctness of a sample session.

Information Security Threats and Attack Vectors

The second subdomain in the Background section of the exam covers information security threats and attack vectors. This section consists of 9 questions (7.2% of the exam). In this section, the only thing explicitly called out in the exam blueprints is “malware operations.” For these questions, it’s necessary to know the various classifications of malware (cluster, macro, multipartite and so on). The exam may also test you on identifying some famous malware variants from a description, such as Conficker and Melissa.

While not mentioned in the blueprint, this section also covers attack vectors other than malware. At a minimum, an applicant should be familiar with the OWASP Top Ten list of Web application vulnerabilities, especially the various forms of injection, as well as attacks like Connection String Parameter Pollution (CSPP). Take the time to get hands-on experience with some of these attacks using a tool like WebGoat. And be sure to know who created WebGoat! It’s useful for both your exam and career as a penetration tester.

Information Security Technologies

The final subdomain in this section covers information security technologies. This is a pretty wide subdomain which covers a variety of topics. Eight questions (6.4%) on the exam are devoted to testing knowledge of this section.

The EC-Council’s exam blueprint specifically mentions mobile technologies (e.g., smartphones, tablets), telecommunication technologies, and backups and archiving solutions for this section. In order to prepare for the mobile section, an applicant should understand the basics of how smartphones work, how their threat surface differs from traditional desktop computing and mobile-specific terms and technologies like BYOD. Telecommunication technologies covers VOIP and other common Internet-enabled communication protocols. Finally, the applicant should understand techniques and technologies for backups and archiving spanning everything from tapes (including how they should be stored, read and so on) to cloud storage to network shares, including the security ramifications and procedures for each.

How to Prepare

Theoretically, a candidate for the CEH certification should be already familiar with all of these concepts. If not, a good starting point is a basic networking course where they can learn the basics of the OSI model, how common Internet protocols work and so on. These courses are taught at most universities or are available online from a variety of sources.

At that point, they’d be prepared to study the basics of information security, including common attacks and basic device functionality. A good starting point for this is the OWASP Top Ten list which, given some study and practice, is almost guaranteed to net the applicant a few questions on the exam. Once the basics are covered, it may be a good idea to enroll in a training course designed to bring the candidate up to speed on the specific knowledge that they’ll need for the exam and for the rest of their career.

In the end, some of the preparation for this section of the exam comes down to memorization. Knowing important port numbers, DNS record types, NetBIOS codes and so on is essential to some questions on the exam and extremely helpful for others. Taking the time to sit down and put in the time to memorize these things can be the difference between passing and failing the exam.



  1. CEH Exam Blueprint v2.0, EC-Council
  2. CEH Exam Blueprint v3.0, EC-Council
  3. Category:OWASP Top Ten Project, OWASP
  4. Category:OWASP WebGoat Project, OWASP
Posted: July 8, 2019
Articles Author
Howard Poston
View Profile

Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.

Leave a Reply

Your email address will not be published. Required fields are marked *